ALERT: Serious Security Flaw in USB Drives

Undetectable malware can be hidden in any USB flash drive, according to security researchers Karsten Nohl and Jakob Lell. This is very bad news for home users who pass around USB drives, and for corporate IT managers who may have to ban the popular devices from business networks. Read on to learn more about the USB devices, and what you need to do...

Is Malware Lurking in Your USB Gadget?

To demonstrate the vulnerability of USB drives, the researchers wrote some proof-of-concept malware (which we can only hope no one copies) called BadUSB. It is a collection of malicious apps that can modify any software installed from a USB drive on a target computer; completely take over control of an infected PC; and even redirect users’ Internet traffic.

Erasing or reformatting the USB drive does not destroy the malware, which hides in the USB device’s firmware that controls the drive’s basic functions. This previously unknown vulnerability is part of the USB standard’s design; as such, it can’t be eliminated without re-engineering every USB device.

“These problems can’t be patched,” says Nohl. “We’re exploiting the very way that USB was designed.” Nohl and Lell plan to demonstrate their code at the BlackHat 2014 conference to be held on August 7th. That will either shine a bright light on the problem, or spawn a cottage industry of hacking USB devices, or both.

We've long known that using USB flash drives can be dangerous, because a virus can be stored as a file on the drive. But any decent anti-virus tool will catch that type of thing. However, standard anti-virus scans can't see or touch the firmware that controls a USB drive’s basic input/output functions. Security pros would have to reverse-engineer the firmware of a USB device and know what to look for in order to detect this threat. That would require some specialized expertise and equipment to analyze firmware.

It's Not Just Your Flash Drive...

But wait, the news gets worse: it’s not just USB flash drives that are vulnerable. Any USB device, from a mouse or keyboard to a digital camera or smartphone charger, contains firmware with the same exploitable vulnerability. While such devices aren’t shared among users as promiscuously as USB flash drives are, it’s very possible to pick up an infection from anything that plugs into a USB port.

As Nohl says, you must "treat USB devices like hypodermic needles that can’t be shared among users." This drags safe computing, safe sex and drug use into the same murky metaphor pool. But it's a real problem that shouldn't be ignored.

The BadUSB demo malware suite can do a lot of evil tricks. It can sneak Trojan software past anti-malware defenses. It can imitate a USB keyboard and execute any commands on the target PC. It can hijack Internet traffic and change DNS settings to redirect a user’s outbound traffic to any server it pleases. If planted on a phone or other USB device with an Internet connection, it can eavesdrop on a user’s communications.
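The keyboard-imitation trick described above shows up in what a device announces to the host when it is plugged in, so one check a defender can run is to flag any device that claims to be both a storage drive and a keyboard. This is an added example, not code from the researchers or from this article; it assumes a Linux host (sysfs under /sys/bus/usb/devices), the function names and sample data are made up for illustration, and it inspects only the announced interfaces, not the firmware itself.

```python
"""Flag USB devices that announce both storage and keyboard interfaces."""
from pathlib import Path

MASS_STORAGE = 0x08           # USB class code: Mass Storage
HID = 0x03                    # USB class code: Human Interface Device
HID_KEYBOARD_PROTOCOL = 0x01  # HID interface protocol: keyboard


def read_sysfs(root="/sys/bus/usb/devices"):
    """Map each device (e.g. '1-2') to its (class, subclass, protocol) triples."""
    devices = {}
    for iface in Path(root).glob("*:*"):  # interface dirs look like '1-2:1.0'
        try:
            triple = tuple(
                int((iface / name).read_text().strip(), 16)
                for name in ("bInterfaceClass", "bInterfaceSubClass",
                             "bInterfaceProtocol")
            )
        except (OSError, ValueError):
            continue  # device unplugged mid-scan, or an unreadable entry
        devices.setdefault(iface.name.split(":")[0], []).append(triple)
    return devices


def suspicious(devices):
    """Return ids of devices exposing mass storage AND a HID keyboard."""
    flagged = []
    for dev, ifaces in sorted(devices.items()):
        has_storage = any(cls == MASS_STORAGE for cls, _, _ in ifaces)
        has_keyboard = any(cls == HID and proto == HID_KEYBOARD_PROTOCOL
                           for cls, _, proto in ifaces)
        if has_storage and has_keyboard:
            flagged.append(dev)  # worth a manual look, not proof of tampering
    return flagged


# Constructed sample (not captured from real hardware).
SAMPLE = {
    "1-1": [(0x03, 0x01, 0x01)],                      # ordinary keyboard
    "1-2": [(0x08, 0x06, 0x50)],                      # ordinary flash drive
    "1-3": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)],  # "flash drive" that also types
}

if __name__ == "__main__":
    live = read_sysfs()
    print(suspicious(live if live else SAMPLE))
```

A clean result says only that no attached device currently announces this combination; it says nothing about what the firmware could announce on a later plug-in.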

There is currently no way to ensure that your USB device’s firmware is clean of such malware. There are no digitally signed versions of USB firmware that can serve as certified “clean” standards.

The only defense against the USB attack vector is to jealously guard your USB devices. Don’t plug them into any computer or port that you don’t trust, say the experts. But following that protocol will drastically reduce the usefulness and convenience of USB devices.

For example, you can’t safely plug your flash drive or phone charging cable into a friend's computer, unless you are 100% certain that person's computer is virus-free. (Plugging into a USB port on a PUBLIC computer has never been safe.) Neither can you trust a flash drive, mouse, keyboard or digital camera that you've borrowed, bought used, or that has been used by someone who is not diligent about security. Presumably, USB devices purchased new will be safe.

What's The Solution?

USB device manufacturers will have to step up and address this problem. One solution is to implement “code signing,” in which the manufacturer attaches a cryptographic digital signature certifying that a firmware package came from the manufacturer and has not been altered since it left the factory. But first, we’ll have to convince OEMs that this is their problem, not just ours. And that solution will only fix the problem for new USB gadgets, not the untold millions already in circulation.

Nohl told Wired magazine that he contacted an unnamed USB drive maker and described his team’s findings. The vendor repeatedly denied that it was possible. Wired contacted the USB Implementers Forum, a trade organization that manages the USB standard. Its spokesperson responded with this statement:

“Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices,” she wrote. “Consumers safeguard their personal belongings and the same effort should be applied to protect themselves when it comes to technology.” In other words, it’s your problem and no concern of the people who sold it to you. That will not sit well with consumers.

Let me reiterate... any USB device (flash drive, external hard drive, smartphone, digital camera, mouse, keyboard, etc.) that has been plugged into an untrusted computer should be treated with suspicion -- much like a used hypodermic needle. Further, erasing, formatting, or using anti-virus tools will not remove malicious code from the firmware of USB devices. And there is no known method at this time to scan USB devices to see if they are clean.

So on a practical level, what should you do? I think it's important to recognize that this vulnerability is new, and (as far as we know) it hasn't been exploited yet. So it seems likely to me that we don't have USB gadgets with infected firmware in circulation, for now. My advice is that if you use USB devices, do so with this threat in mind from now on. A 32 GB flash drive sells for about $15. If you have a flash drive that's been connected to unknown or public computers, you might want to discard it.

Your thoughts on this topic are welcome. Post your comment or question below...

Most recent comments on "ALERT: Serious Security Flaw in USB Drives"

Bob - it gets worse! "If you have a flash drive that's been connected to unknown or public computers, you might want to discard it." Before I discard it, I'd want to erase it, and that means plugging it into a computer somewhere. A conundrum if I ever saw one! I guess it could be smashed with a hammer...

Posted by:
John
07 Aug 2014

If the anti-malware can't access the firmware, how do the viruses access it and change it over the USB connection?

EDITOR'S NOTE: I don't understand all the techie stuff that happens at the operating system level when a USB device is inserted, but Really Smart People tell me they don't see any way for the OS to detect if there's malicious code coming from the USB device at that point.

Posted by:
Tom Janzen
07 Aug 2014

I wonder if using an SD card would be safe since it doesn't use a USB connection.

EDITOR'S NOTE: Good point. SD cards do not have this vulnerability, and will make a good alternative for some users.

Posted by:
jorge
07 Aug 2014

Is this danger universal, or only Windows?
If it is so, maybe one can connect the u-drive to a Linux computer to check the alien...

Posted by:
sparkplug54
07 Aug 2014

If the problem is in the firmware, then it would have to be installed in the chip manufacturing process at the factory, right? Or does "firmware" mean something to you that it doesn't mean to me.

Posted by:
Marc de Piolenc
08 Aug 2014

This reads like a tempest in a teapot. Presumably, this "firmware" is stored in read-only memory, which means that a virus can only be planted at the factory. No manufacturer could afford the loss of business that would occur if even one of its drivers were found to have infected firmware, so I am quite certain that precautions are already in place. The only way to exploit this alleged vulnerability would be to set up one's own production line to make counterfeit USBs bearing fake, trusted brands. That requires an investment far beyond the means of a typical criminal hacker.

EDITOR'S NOTE: Unfortunately, not true. Firmware is not read-only, and can be modified.

Posted by:
edcav
08 Aug 2014

Next viral app: USB condoms!

Posted by:
SUNIL
08 Aug 2014

This is a bad problem. Question is whether this threat is for Windows machines or all other OSes also. If it is OS independent then we might as well stop using USBs and disconnect. Every need cannot be fulfilled by networking computers and one cannot get on a network always.

Posted by:
David
08 Aug 2014

Pat, it may have been a long time since you worked on firmware. I don't need any special equipment to update the firmware of my router, for example; I download a firmware update app and it updates the firmware.

Jim, to patch bad software one must first determine what good software looks like. Every USB device has its own firmware written by its maker; even different models and capacities of USB drives from the same maker may have slightly but significantly different firmware. That's a lot of different firmware parcels to reverse-engineer, for a third-party antivirus developer.

The USB device makers simply must digitally sign their firmware so that it can be tested by third-party software and verified as "good." That they shirk this duty and just say, "consumer beware" is willful, knowing, reckless endangerment. Somebody's begging for a class action lawsuit.

But now that the cat's out of the bag, I expect to see "secure firmware" highlighted as a selling point on USB device packaging in the near future.

I don't know if I'll believe that label, but we have white hat hackers to test such claims.

Posted by:
Jeff
08 Aug 2014

The exploit was discovered and made public *now* ... by *one* group of researchers... that's no proof it hasn't been discovered by others before... who exploited it instead of publishing it. And if we didn't know to look here before now, we wouldn't have known if it was *already* being used/exploited... damn the potential disruption here is really, really ugly...

Posted by:
John L Brown
08 Aug 2014

Bob, are you indicating that, on the one hand, if a USB drive, that is infected with a virus or malware is connected to my computer, and my security software cannot scan/detect it; does that mean that the virus/malware is functional, only within the USB drive connected, and if I simply discard the suspect USB drive, this particular problem is ‘solved?’ In other words, is discarding a potentially infected USB drive the equivalent of purging the infection? Of course, I’m assuming the infection was not injected, and missed by my security software. Thank you.

EDITOR'S NOTE: No, unplugging or discarding the USB drive will not solve the problem, as I understand it.

Posted by:
Spock
08 Aug 2014

Thanks Bob for bringing this to the attention of the hacking community. They now have something new to work on.

EDITOR'S NOTE: As much as I'd like to take credit, I can't. You can thank the researchers who originally published their findings, and yesterday presented this to the global BlackHat 2014 conference.

Posted by:
Jo
08 Aug 2014

What about USB sticks that have hardware encryption built in? Are they immune from this issue?

EDITOR'S NOTE: No, the encryption is only protecting the files on the disk, not the firmware.

Posted by:
Rach
08 Aug 2014

Is it still OK to use CDs and DVDs? If a computer has a trojan that has been quarantined, can the trojan jump to a USB drive that is later attached to the computer?

EDITOR'S NOTE: This problem does not affect CDs, DVDs or SD cards. If a virus is quarantined, it can't go anywhere.

Posted by:
Sam
10 Aug 2014

What about USB card readers? They too use the USB port...

Posted by:
souprman
10 Aug 2014

To alter firmware you have to burn it to the chip (EPROM, whatever). Most burning programs have a warning notification before the burn begins, but they don't have to. We need an app where before ANY program executes, it examines the code and places a burn warning, if present. Just plugging a USB drive in would start the app. The same could be installed on a phone - kind of a little "prophylactic" app.

Posted by:
rocketride
12 Aug 2014

The real question (at least for USB drives) is why do they even have updateable firmware? Why not just plain, old ROM? Has ANY manufacturer of thumb drives, since Ogg carved the first one out of an antelope's thighbone, EVER issued a legitimate firmware upgrade for it? Certainly, if it had happened much, we'd already all have seen it happen and become aware that USB controller firmware is upgradeable and potentially hackable.

OTOH, other devices (cameras, external hard drives and the like) can and do need upgrading and making them less vulnerable (never mind invulnerable) is going to be a worse, perhaps intractable problem.

@ Tom Janzen
I wonder if using an SD card would be safe since it doesn't use a USB connection.

EDITOR'S NOTE: Good point. SD cards do not have this vulnerability, and will make a good alternative for some users.

The other reason to use SD cards at photo kiosks, for instance, is that handy little Write Lock slide switch.

Posted by:
MmeMoxie
17 Aug 2014

Thanks Bob ... I have been considering using some USB Flash Drives, to help some of my family out, when they have PC issues. I will now ... Completely, delete that whole idea!!!

This is reminiscent of the old days, when everybody was using Floppy Disks, to transport information back and forth, for their business and all of the virus infections, that occurred, during that time!!! I know, the old Floppy Disks, did not have firmware, but, they were such an easy source, to promote the passing of the viruses, that got on the disks, to other PCs.

The USB Flash Drives and Sticks are a whole different ball game, though!!! This is some serious stuff. I really do, have to wonder why China is doing this to the world, in general. I easily, could think, it is for world domination, and that is partly, the truth. The world is so Internet connected, that "He who holds the power ... Is the one in charge." I am thinking of all the hospitals, doctor's offices and many, many medically related businesses, who will be affected by this information. Medical Patient Confidentiality is definitely being threatened!!!

Again, I ponder ... Why must we have good advancement on technology ... To only, have it destroyed and compromised by governments, hackers and crackers???!!!

Posted by:
Diane
24 Aug 2014

I am forced by my college to save my work on a flash drive & then work on it on my own computer at home. Is there any device that I can use as an intermediary for reading the files off my school-used flash drive and then safely copying them to my computer without also transferring any malware in the flash drive's firmware?

Posted by:
Sandy B
01 Jan 2015

What about the external Hard Drive. It's like a giant USB stick. If a USB stick can be infected then don't see how the HDD that I back up my data to can be safe.

EDITOR'S NOTE: I think we have to go with the assumption that USB devices purchased new, or those that have not been connected to untrusted computers will be safe.
